Posted
by
msmash
on Friday August 18, 2017 @02:00PM
from the need-upgrade dept.

An anonymous reader shares a report: When staff at CyberKeel investigated email activity at a medium-sized shipping firm, they made a shocking discovery. "Someone had hacked into the systems of the company and planted a small virus," explains co-founder Lars Jensen. "They would then monitor all emails to and from people in the finance department." Whenever one of the firm's fuel suppliers would send an email asking for payment, the virus simply changed the text of the message before it was read, adding a different bank account number. "Several million dollars," says Mr Jensen, were transferred to the hackers before the company cottoned on. After the NotPetya cyber-attack in June, major firms including shipping giant Maersk were badly affected. In fact, Maersk revealed this week that the incident could cost it as much as $300 million in profits. But Mr Jensen has long believed that that the shipping industry needs to protect itself better against hackers -- the fraud case dealt with by CyberKeel was just another example. The firm was launched more than three years ago after Mr Jensen teamed up with business partner Morten Schenk, a former lieutenant in the Danish military who Jensen describes as "one of those guys who could hack almost anything." They wanted to offer penetration testing -- investigative tests of security -- to shipping companies. The initial response they got, however, was far from rosy.

It really doesn't matter and it still highlights that segmenting your network is a good idea.

Different parts of the business shall be isolated from each other and avoid central servers. Using well-defined interfaces between the different business areas and closing all the traffic between the segments from all non-essential traffic is also important.

They are basically autonoumous right now. A half-a-mile long ship carrying a billion dollar worth of goods is typicall manned by three people, the captain, the engineer and the cook. An autonomous sailing ship could get rid of those people.

They are basically autonoumous right now. A half-a-mile long ship carrying a billion dollar worth of goods is typicall manned by three people, the captain, the engineer and the cook. An autonomous sailing ship could get rid of those people.

Is this how a US Navy ship ran into a cargo ship? Cargo ship was in auto pilot and didn't yield? Although, my understanding is the Navy ship should have yielded in any case.

From the reports that I've read, the destroyer made a series of sudden course changes in a crowded channel before being t-bone by the freighter. The Navy had recently announced that they were disciplining everyone who was on duty at the time of the accident.

hmm.. first, I would have been "t-boned" not "t-bone". Second, being t-boned means a side collision in a middle of the car, usually at 90 degrees. None of this applies in this case since the ship was hit in the font part with an angle.

Also, when you get t-boned, your vehicle looks like a t-bone afterwards.

No deck crew? You really expect the officers or the cook to handle lines? I don't think they're manned by just three. Container ships carrying the refrigerated containers usually have at least three people just to watch those things. They've been known to be less than perfectly reliable. The totally automated vessels need to have a lot more redundant systems than do the less automated ones. I have to wonder whether the people (like Rolls Royce) who are trying to sell these hugely expensive automation system

"They are basically autonoumous right now. A half-a-mile long ship carrying a billion dollar worth of goods is typicall manned by three people, the captain, the engineer and the cook."

Where do you get this shit from? There's all kinds of people in the engine room, there's people running around checking for pirates, there's people checking the containers. there's people tightening the cables, people manning the refrigeration systems, the electrical systems...

"They are basically autonoumous right now. A half-a-mile long ship carrying a billion dollar worth of goods is typicall manned by three people, the captain, the engineer and the cook."

Where do you get this shit from? There's all kinds of people in the engine room, there's people running around checking for pirates, there's people checking the containers. there's people tightening the cables, people manning the refrigeration systems, the electrical systems...

You must be a programmer to have such a childishly naive view of the real world. Stick to keyboards with your slender fingers.

"They are basically autonoumous right now. A half-a-mile long ship carrying a billion dollar worth of goods is typicall manned by three people, the captain, the engineer and the cook."

Where do you get this shit from? There's all kinds of people in the engine room, there's people running around checking for pirates, there's people checking the containers. there's people tightening the cables, people manning the refrigeration systems, the electrical systems...

You must be a programmer to have such a childishly naive view of the real world. Stick to keyboards with your slender fingers.

Interesting. I was thinking the line from the 1947 movie "The Ghost and Mrs. Muir" as Rex Harrison as a crusty old sea captain says something like "typical landlubbers don't know it is ships and men that bring them precious goods from far away lands." And how Europeans particularly England became a global force with transoceanic commerce and warships to dominate countries on the other side of the world. Also debated what if China (Ming Dynasty) maintained their large navies (debate is they were faced with t

Key management and encryption standards. Too many people are positioned to make their platform/product THE industry standard (for a small per transaction fee, of course). Rather than getting behind a distributed peer-to-peer solution. And when the industry or government puts together a working group to propose an open solution, the leading providers just send Goober to sit on the committee and mess things up.

Back in the old days, things happened on the Internet before the big players caught on. Now they ha

Even if the emails are sent over SMTP-TLS and the emails themselves are signed and encrypted, the workstations of the people in finance could be targeted via a spear-phising attack. A trojan could alter the text as their email client displays it. Companies really need to treat those devices with special care and extra doses of paranoia.

Transferring millions to an account number found in an email ? That sounds dumb to me.... But at the end there is always a human that makes mistakes. I guess every industries should learn from this 'incident'... Never trust emails for conducting business. Pick up the phone!

Large companies often have this problem. At the end of all the financial safeguards, double and triple checks, and hidebound processes for moving money around, the actual way it's done is very dependent on a human recognizing a message is from a trusted source. Billion-dollar companies have a bunch of payroll people literally emailing or EDI-ing unencrypted Excel files to their payroll processor showing who to pay what amount, and the only security on that process is that "I'm the payroll clerk, so I know what's going on." Same goes for invoices -- if something looks legit, and it looks like it came from a vendor, it gets paid.

If a company wants to keep these manual processes in place, they need to ensure the channels these messages run over are totally secure. At least train people to pick up a phone and call if they see something out of the ordinary.

"train people to pick up a phone and call if they see something out of the ordinary." At my last job, we really tried to drill this idea into the Accounting department's head. It actually worked, and stopped several potential phishing scams dead in their tracks. They eventually subscribed to Mimecast that actively hooks into their AD to verify (one among many methods) that internal senders are internal senders, only accepting email from specific IP addresses, running sandboxes on all attachments, etc.

I saw this documentary in the mid-90s about hackers putting viruses on supertankers to capsize them. But it really wasn't the hacker. The hackers were the good guys trying to stop the executives who were the real villains. I think it was called 'Computer Hackers' or something.